Google Cloud Platform Project Default Service Accounts
This page shows how to write Terraform for Cloud Platform Project Default Service Accounts and write them securely.
google_project_default_service_accounts (Terraform)
The Project Default Service Accounts in Cloud Platform can be configured in Terraform with the resource name google_project_default_service_accounts. The following sections describe 5 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "google_project_default_service_accounts" "not_ok" {
  project = "my-project-id"
  action  = "DELETE" # flagged: deleted default service accounts cannot be recovered after 30 days
}
resource "google_project_default_service_accounts" "default" {
  project = data.google_project.default.project_id
  action  = "DEPRIVILEGE"
}
resource "google_project_default_service_accounts" "globus" {
  project = var.project_id
  action  = "DEPRIVILEGE"
}
Parameters
- action
  required - string
  The action to be performed on the default service accounts. Valid values are: DEPRIVILEGE, DELETE, DISABLE. Note that the DEPRIVILEGE action ignores the REVERT configuration in the restore_policy.
- project
  required - string
  The project ID where the service accounts are created.
- restore_policy
  optional - string
  The action to be performed on the default service accounts when the resource is destroyed. Valid values are NONE, REVERT and REVERT_AND_IGNORE_FAILURE. It applies to any action except DEPRIVILEGE.
- service_accounts
  optional computed - map from string to string
  The service accounts changed by this resource. It is used to revert the action on destroy.
Explanation in Terraform Registry
Allows management of Google Cloud Platform project default service accounts. When certain service APIs are enabled, Google Cloud Platform automatically creates service accounts to help get started, but this is not recommended for production environments as per Google's documentation. See the Organization documentation for more details.
WARNING: Some Google Cloud products do not work if the default service accounts are deleted, so it is better to DEPRIVILEGE, as Google CANNOT recover service accounts that have been deleted for more than 30 days. Google also recommends using the constraints/iam.automaticIamGrantsForDefaultServiceAccounts constraint to disable automatic IAM grants to default service accounts. This resource works on a best-effort basis, as no API formally describes the default service accounts, and it is intended for users who are unable to use constraints. If the default service accounts change their names or additional service accounts are added, this resource will need to be updated.
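The rules above (prefer DEPRIVILEGE over DELETE, and keep DELETE/DISABLE reversible on destroy via restore_policy) can be turned into a policy-as-code check. The following is an added example, not checkov's or the provider's code; it is a regex-based scanner that assumes the flat "key = value" block style shown on this page rather than full HCL parsing, and the sample input is constructed from the page's examples.

```python
import re

# Added example, not checkov's or the provider's code: a regex scanner that
# applies this page's rules to google_project_default_service_accounts blocks.
# It assumes the flat "key = value" style shown above, not full HCL.
BLOCK_RE = re.compile(
    r'resource\s+"google_project_default_service_accounts"\s+"(?P<name>[^"]+)"'
    r'\s*\{(?P<body>[^}]*)\}')
ATTR_RE = re.compile(r'^\s*(?P<key>\w+)\s*=\s*(?P<val>"[^"]*"|[^\s#]+)', re.M)


def parse_blocks(hcl):
    """Return (resource name, {attribute: value}) for every block found."""
    blocks = []
    for m in BLOCK_RE.finditer(hcl):
        attrs = {a["key"]: a["val"].strip('"') for a in ATTR_RE.finditer(m["body"])}
        blocks.append((m["name"], attrs))
    return blocks


def check_block(name, attrs):
    """Prefer DEPRIVILEGE; keep DELETE/DISABLE reversible on destroy."""
    findings = []
    action = attrs.get("action")
    if action is None:
        findings.append(f"{name}: required argument 'action' is missing")
    elif action == "DELETE":
        findings.append(f"{name}: DELETE is unrecoverable after 30 days; prefer DEPRIVILEGE")
    # restore_policy is ignored by DEPRIVILEGE, so only check it for the others.
    if action in ("DELETE", "DISABLE") and attrs.get("restore_policy") == "NONE":
        findings.append(f"{name}: restore_policy NONE means destroy will not revert {action}")
    return findings


def scan(hcl):
    return [f for name, attrs in parse_blocks(hcl) for f in check_block(name, attrs)]


# Constructed sample mirroring the page's examples (one flagged, one clean).
SAMPLE = '''
resource "google_project_default_service_accounts" "not_ok" {
  project = "my-project-id"
  action  = "DELETE"
}
resource "google_project_default_service_accounts" "default" {
  project = data.google_project.default.project_id
  action  = "DEPRIVILEGE"
}
'''
```

Running scan(SAMPLE) reports only the not_ok block; the DEPRIVILEGE block passes.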
Tips: Best Practices for Other Google Cloud Platform Resources
In addition to google_project_default_service_accounts, Google Cloud Platform has other resources that should be configured with security in mind. Please check some examples of those resources and precautions.
google_project
Ensure project-level default network creation is disabled
It is better to disable the auto-creation of default networks. The default network for a GCP project is usually configured coarsely, leaving the risk of unwanted access to resources in the network.
Frequently asked questions
What is Google Cloud Platform Project Default Service Accounts?
Google Cloud Platform Project Default Service Accounts is a resource for Cloud Platform of Google Cloud Platform. Settings can be written in Terraform.
Where can I find the example code for the Google Cloud Platform Project Default Service Accounts?
For Terraform, the SnidermanIndustries/checkov-fork, melscoop-test/check and seankhliao/mono source code examples are useful. See the Terraform Example section for further details.